[36054] in Kerberos

Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter

daemon@ATHENA.MIT.EDU (Nico Williams)
Tue Apr 15 18:10:46 2014

MIME-Version: 1.0
In-Reply-To: <20140415214849.GA28700@oracle.com>
Date: Tue, 15 Apr 2014 17:10:24 -0500
Message-ID: <CAK3OfOjA+YXJAUqsdHtqVcDw-9jttM+K-mKZoPEY12Wycr8oCQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Apr 15, 2014 at 4:48 PM, Will Fiveash <will.fiveash@oracle.com> wrote:
> On Tue, Apr 15, 2014 at 02:34:11PM -0500, Nico Williams wrote:
>> What should happen is that there should be a way to enroll a device.
>
> If a keytab is really needed.  On the other hand, if a laptop is only
> acting as a client then why bother?  Assuming the logged-in user has a
> way of acquiring their krb cred that's all they should need if the
> laptop is acting as an NFS, ssh or any other client that tries to do
> gss/krb auth.

Sure, that's a fair thing to do in the short term.  In the long term I
suspect you'll have many reasons to want to enroll a device (e.g., to
do FAST w/o PKINIT).

And in order to make this short-term fix workable you need a way to
configure the system to make the user's Kerberos credential also be
the system's (root's).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
